Monday, September 12, 2011

Lock and Key ACLs (Filtering with IOS Part 3)

I have R1, R2, and R3, and I want to use Dynamic ACLs (Lock and Key) to build a security policy that I can apply to R2.

I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow R1 to open a connection on TCP port 80 to R3, but only after R1 authenticates to R2. I have RIP running between the three routers, and I want that to remain operational.

To accomplish this, I'll create an access-list on R2 with a dynamic entry for www access from R1 to R3. On the vty lines, I'll set login local. For the dynamic ACL, I will have to log into R2 via telnet and issue the access-enable command, which creates the temporary entry under the dynamic line of the access-list. I'll create a user named jason with a password of cisco, and allow telnet inbound on the ACL. RIP (UDP 520) is permitted so routing keeps working.

!
ip access-list extended 100
 permit tcp any any eq telnet
 permit udp any any eq 520
 dynamic HTTP permit tcp any host 10.1.23.3
!
username jason password cisco
!
line vty 0 4
 login local
!

R3 is running the IOS HTTP server (ip http server) and ip http path has been set to flash:/. For demonstration, I will attempt to copy a file from R3 to R1 over HTTP. The copy fails:

R1#copy http://jason:cisco@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin null:
%Error opening http://*****:*****@10.1.23.3/c2600-adventerprisek9-mz.124-10c.bin (I/O error)

After I telnet to R2 as jason and issue access-enable, the ACL on R2 shows the temporary permit entry under the dynamic line:

R2#sh access-list 100
Extended IP access list 100
    10 permit tcp any any eq telnet (201 matches)
    20 permit udp any any eq 520
    30 Dynamic HTTP permit tcp any host 10.1.23.3
       permit tcp any host 10.1.23.3

Notice that the entry allows any source to host 10.1.23.3: access-enable without the host keyword copies the dynamic line's source (any) into the temporary entry, so once one user has authenticated, every host behind fa0/0 can use it. I'll clear the dynamic entry on R2 and issue access-enable host from R1 while connected to R2's vty line to see the difference; with host, the source is replaced by the address the telnet session came from.

R2#clear access-template 100 HTTP any host 10.1.23.3

At this point, I don't have an idle or absolute timeout configured. This entry will remain in the dynamic access list until I manually remove it with the clear access-template command. NOTE: The clear access-template command doesn't appear to work on named ACLs, and that's why I've used the number 100 for this ACL's name.

R2#clear access-template 100 HTTP any host 10.1.23.3
R2#sh access-list 100
Extended IP access list 100
    10 permit tcp any any eq telnet (282 matches)
    20 permit udp any any eq 520
    30 Dynamic HTTP permit tcp any host 10.1.23.3

Now I'll remove line 30 from the ACL and add it back with an absolute timeout of 1 minute. (The timeout keyword on the dynamic line is the absolute timeout; the idle timeout is set separately with access-enable timeout.)

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip access-list ext 100
R2(config-ext-nacl)#no 30
R2(config-ext-nacl)#30 dynamic HTTP timeout 1 permit tcp any host 10.1.23.3

Now I'll telnet to R2 from R1 and issue the access-enable command. If my job runs longer than the configured timeout, I can log in again and issue access-enable to extend the session by 6 minutes.

If I don't care to issue the access-enable command, I can configure the username with the autocommand command as such.
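The configuration below pulls the pieces from this post together into one lock-and-key policy with autocommand. It is an added example, not the original post's configuration. It assumes the ACL is applied inbound on R2's fa0/0 (the inside interface), that R1 is 10.1.12.1 and R2's fa0/0 is 10.1.12.2, and it picks a 5-minute idle timer and a 10-minute absolute timer; none of those values come from the post.

```cisco
! Added example, not the original post's config.
! Assumed addressing: R1 = 10.1.12.1, R2 fa0/0 = 10.1.12.2 (inside),
! R2 s0/0 toward R3, R3 = 10.1.23.3 (outside).
!
username jason password cisco
! Run access-enable at login, then drop the vty session. "host" swaps the
! dynamic line's source ("any") for the address the telnet came from, so only
! the authenticated host gets the hole; without "host" any inside host could
! use the entry once one user had logged in (this is what the post's first
! show access-list output demonstrated). "timeout 5" is the idle timeout in
! minutes and must be shorter than the absolute timeout on the dynamic line.
username jason autocommand access-enable host timeout 5
!
ip access-list extended 100
 ! Telnet only to R2 itself, not "any any": the post's entry also let inside
 ! hosts telnet through R2 to the outside.
 permit tcp 10.1.12.0 0.0.0.255 host 10.1.12.2 eq telnet
 ! RIP between the routers (UDP 520).
 permit udp any any eq rip
 ! Absolute timeout of 10 minutes: the temporary entry is removed even if it
 ! is still in use. "eq www" limits the hole to TCP 80 as the post intended;
 ! the post's own entry permitted all TCP to R3.
 dynamic HTTP timeout 10 permit tcp any host 10.1.23.3 eq www
 ! implicit deny ip any any
!
interface FastEthernet0/0
 ip access-group 100 in
!
line vty 0 4
 login local
!
```

After R1 telnets to 10.1.12.2 and authenticates as jason, the session closes by itself and show access-list 100 on R2 should list a temporary entry of the form permit tcp host 10.1.12.1 host 10.1.23.3 eq www under line 30, which disappears after 5 idle minutes or 10 minutes total. Two caveats: telnet carries jason's password in clear text, and since access-enable is an ordinary EXEC command the same autocommand works over an SSH vty, so permit port 22 instead of 23 where SSH is available; and because autocommand disconnects the session, the jason account cannot be used to administer R2, which is the point of keeping it separate from admin accounts.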